Ethical Issues
Ethics refers to the principles of right and wrong that individuals use to make choices that guide their behavior.
Code of ethics: a collection of principles intended to guide decision making by members of the organization.
Responsibility means that you accept the consequences of your decisions and actions.
Accountability means determining who is responsible for the actions that were taken.
Liability is a legal concept meaning that individuals have the right to recover the damages done to them by other individuals, organizations, or systems.
Property Issues
- Who owns the information?
- What are the just and fair prices for its exchange?
- How should one handle software piracy?
- Under what circumstances can one use proprietary databases?
- Can corporate computers be used for private purposes?
- How should experts who contribute their knowledge to create expert systems be compensated?
- How should access to information channels be allocated?
Accessibility Issues
- Who is allowed to access information?
- How much should companies charge for permitting access to information?
- How can access to computers be provided for employees with disabilities?
- Who will be provided with the equipment needed for accessing information?
- What information does a person or an organization have a right or privilege to obtain, under what conditions, and with what safeguards?
Protecting Privacy
Privacy is the right to be left alone and to be free of unreasonable personal intrusions. Information Privacy is the right to determine when, and to what extent, information about yourself can be gathered and/or communicated to others.
Advances in technology have made it easier to collect and gather information anytime, anywhere. Examples: surveillance cameras in public places, banking transactions, credit card transactions, telephone calls, etc. These data can be integrated to produce a digital dossier, which is an electronic description of you. The process of forming a digital dossier is called profiling.
Electronic surveillance
Many companies monitor their employees' use of the internet. They use software to block connections to inappropriate websites in order to improve employee productivity. This practice is called URL filtering.
The opt-in model of informed consent prohibits a business from collecting any personal information unless the customer specifically authorizes it.
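The URL filtering described above can be implemented as a small policy check run over each requested URL. The code below is an added example and is not from the original notes or from any particular filtering product; the blocklist, the categories and the proxy log lines are constructed for illustration. It parses the host properly (so userinfo and ports cannot be used to slip past a naive string match), matches blocked domains by label suffix, and records an audit entry for each decision.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed blocklist for the example: blocked domain -> category.
# Any subdomain of a listed domain is also blocked.
BLOCKLIST = {
    "gambling.example": "gambling",
    "malware-drop.example": "malware",
    "social.example": "social-media",
}


def host_of(url: str) -> Optional[str]:
    """Extract the lowercased hostname; userinfo and port are dropped by urlsplit."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname
    if not host:
        return None
    return host.rstrip(".")  # "evil.example." is the same host as "evil.example"


def lookup_category(host: str):
    """Return (blocked_domain, category) if host is a listed domain or a subdomain of one."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return candidate, BLOCKLIST[candidate]
    return None


def filter_url(url: str) -> dict:
    """Decide allow/block for one URL and return an audit record."""
    host = host_of(url)
    if host is None:
        # Fail closed: a request whose host cannot be determined is not allowed through.
        return {"url": url, "host": None, "decision": "block", "reason": "unparseable host"}
    match = lookup_category(host)
    if match:
        domain, category = match
        return {"url": url, "host": host, "decision": "block",
                "reason": f"{category} ({domain})"}
    return {"url": url, "host": host, "decision": "allow", "reason": "not listed"}


def filter_log(urls) -> list:
    """Apply the filter to a sequence of requested URLs (e.g. a proxy log)."""
    return [filter_url(u) for u in urls]


# Constructed proxy log lines for the example.
PROXY_LOG = [
    "https://docs.example/handbook.pdf",
    "http://www.GAMBLING.example:8080/slots",
    "http://docs.example@malware-drop.example/payload",   # userinfo trick
    "https://notgambling.example/",                        # not a subdomain of gambling.example
    "https://feed.social.example/timeline",
]

if __name__ == "__main__":
    for record in filter_log(PROXY_LOG):
        print(f"{record['decision']:5}  {record['url']}  [{record['reason']}]")
```

Matching on whole labels rather than `endswith` matters: `notgambling.example` must not be treated as a subdomain of `gambling.example`, and the parsed hostname, not the raw string, is what the policy is applied to.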
Data Accuracy
- Sensitive data gathered on individuals should be verified before they are entered into the databases.
- Data should, where and when necessary, be kept current.
- The file should be made available so the individual can ensure that the data are correct.
- If there is disagreement about the accuracy of the data, the individual's version should be noted and included with any disclosure of the file.
Data Confidentiality
- Computer security procedures should be implemented to ensure against unauthorized disclosure of data. These procedures should include physical, technical, and administrative measures.
- Third parties should not be given access to data without the individual's knowledge or permission, except as required by law.
- Disclosures of data, other than the most routine, should be noted and maintained for as long as the data are maintained.
- Data should not be disclosed for reasons incompatible with the business objective for which they were collected.
- Downstream liability
- Increased employee use of unmanaged devices
- Lack of management support
A threat to an information resource is any danger to which a system may be exposed.
Exposure of an information resource is the harm, loss, or damage that can result if a threat compromises that resource.
Vulnerability is the possibility that the system will suffer harm from a threat.
Information systems controls are the procedures, devices, or software aimed at preventing a compromise of the system.
Natural disasters
floods, earthquakes, hurricanes, etc.
Technical failures
Problems with software or hardware
Management failures
Lack of funding, lack of interest
Deliberate acts
Extortion, espionage or trespass, vandalism, theft, etc.
Human Mistakes
- Tailgating
- Shoulder surfing
- Carelessness with laptops and portable devices
- Opening questionable e-mails
- Careless surfing
- Poor password selection and use
- Carelessness with one's office
- Carelessness using unmanaged devices
- Carelessness with discarded equipment
Risk analysis
The process by which an organization assesses the value of each asset being protected and prioritizes the assets that could be compromised based on their value.
Mitigation
- Implement controls against the threat
- Develop a means of recovery should the threat become a reality
Strategies:
- Risk acceptance
- Risk limitation
- Risk transference
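The risk analysis and mitigation strategies above can be put together in a small risk register. The code below is an added example, not from the original notes or any textbook; the assets, values, probabilities and costs are constructed, and the decision rule that picks a strategy (accept when the expected loss is below a threshold or when every option costs more than the loss it would prevent, otherwise take the cheaper of limiting the risk with a control or transferring it through insurance) is an assumption made for the example, not a rule the notes state.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    name: str
    value: float              # business/replacement value of the asset
    probability: float        # estimated annual probability of compromise, 0..1
    control_cost: float       # annual cost of the control that would limit the risk
    insurance_cost: Optional[float] = None  # annual cost to transfer the risk, if offered


def expected_loss(asset: Asset) -> float:
    """Risk analysis step: asset value weighted by the chance it is compromised."""
    return asset.value * asset.probability


def prioritize(assets) -> list:
    """Rank assets so the largest expected loss is addressed first."""
    return sorted(assets, key=expected_loss, reverse=True)


def choose_strategy(asset: Asset, acceptance_threshold: float) -> str:
    """Assumed decision rule (not from the notes): pick acceptance, limitation or transference."""
    loss = expected_loss(asset)
    if loss < acceptance_threshold:
        return "risk acceptance"
    options = {"risk limitation": asset.control_cost}
    if asset.insurance_cost is not None:
        options["risk transference"] = asset.insurance_cost
    strategy, cost = min(options.items(), key=lambda kv: kv[1])
    if cost >= loss:
        # Spending more than the expected loss to prevent it is not worthwhile.
        return "risk acceptance"
    return strategy


def risk_register(assets, acceptance_threshold: float) -> list:
    """Produce the register: priority order, expected loss and chosen strategy per asset."""
    return [
        {"asset": a.name, "expected_loss": expected_loss(a),
         "strategy": choose_strategy(a, acceptance_threshold)}
        for a in prioritize(assets)
    ]


# Constructed assets for the example (all figures are made up).
ASSETS = [
    Asset("customer database", value=500_000, probability=0.10,
          control_cost=20_000, insurance_cost=35_000),
    Asset("marketing website", value=40_000, probability=0.25,
          control_cost=15_000),
    Asset("laptop fleet", value=120_000, probability=0.30,
          control_cost=30_000, insurance_cost=12_000),
    Asset("lobby kiosk", value=2_000, probability=0.05,
          control_cost=500),
]

if __name__ == "__main__":
    for row in risk_register(ASSETS, acceptance_threshold=1_000):
        print(f"{row['asset']:18} expected loss {row['expected_loss']:>9,.0f}  -> {row['strategy']}")
```

Reading the register top to bottom gives the order in which controls should be funded; the `marketing website` row shows the case where the only available control costs more than the loss it would prevent, so the risk is accepted even though it is above the threshold.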
Controls
- Physical controls
- Communications controls